Path Traversal when upload file in metersphere/metersphere

Valid

Reported on

Dec 25th 2022

metersphere allow users to upload file, but not check the file name.

Poc can be found in the link

Impact

file overwriiten , remoe code injection and so on.

References

We are processing your report and will contact the metersphere team within 24 hours. 15 days ago

We have contacted a member of the metersphere team and are waiting to hear back 14 days ago

A metersphere/metersphere maintainer gave praise 14 days ago

The researcher's credibility has slightly increased as a result of the maintainer's thanks: +1

lujiefsi

commented 12 days ago

Researcher

Hi, could you please vaild this report and assigne a cve once we fix it?

lujiefsi

commented 10 days ago

Researcher

@admin will my comment be sent to maintainer by email?

A metersphere/metersphere maintainer

commented 7 days ago

Maintainer

The vulnerability has been fixed and CVE-2022-46178 has been issued. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-46178 https://github.com/metersphere/metersphere/security/advisories/GHSA-9p62-x3c5-hr5p

lujiefsi

commented 7 days ago

Researcher

that's good, and could you please valiad this report without assign cve

A metersphere/metersphere maintainer validated this vulnerability 7 days ago

lujiefsi has been awarded the disclosure bounty

The fix bounty is now up for grabs

The researcher's credibility has increased: +7

A metersphere/metersphere maintainer marked this as fixed in v2.5.1 with commit 3a890e 7 days ago

The fix bounty has been dropped

This vulnerability will not receive a CVE

A metersphere/metersphere maintainer published this vulnerability 7 days ago

to join this conversation

We are processing your report and will contact the metersphere team within 24 hours. 15 days ago

We have contacted a member of the metersphere team and are waiting to hear back 14 days ago

A metersphere/metersphere maintainer gave praise 14 days ago

The researcher's credibility has slightly increased as a result of the maintainer's thanks: +1

lujiefsi

commented 12 days ago

Researcher

Hi, could you please vaild this report and assigne a cve once we fix it?

lujiefsi

commented 10 days ago

Researcher

@admin will my comment be sent to maintainer by email?

A metersphere/metersphere maintainer

commented 7 days ago

Maintainer

lujiefsi

commented 7 days ago

Researcher

that's good, and could you please valiad this report without assign cve

A metersphere/metersphere maintainer validated this vulnerability 7 days ago

lujiefsi has been awarded the disclosure bounty

The fix bounty is now up for grabs

The researcher's credibility has increased: +7

A metersphere/metersphere maintainer marked this as fixed in v2.5.1 with commit 3a890e 7 days ago

The fix bounty has been dropped

This vulnerability will not receive a CVE

A metersphere/metersphere maintainer published this vulnerability 7 days ago

to join this conversation